Thursday, June 16, 2011

U.S. Bank Must Pay Back Customers for Money Stolen by Hackers

A US court has ruled that Comerica Bank is liable for a $560,000 (£350,000) cyberheist, saying the bank should have done a better job of spotting millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.

In a June 13 decision, the court ruled in favour of Experi-Metal, a custom car parts maker that had sued Comerica after the January 2009 incident. In just a few hours, criminals tried to move millions of dollars to Eastern Europe before Comerica's fraud department shut down the scam.

Most of the money was recovered, but in his ruling Judge Patrick Duggan of the US District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. A "bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Judge Duggan wrote in his ruling.

Experi-Metal's troubles started in the early morning hours of January 22, 2009. That's when the company's vice president of manufacturing, Gerry King, received a phishing email telling him to fill out what appeared to be a mundane piece of online paperwork: a "Comerica Business Connect Customer Form." He forwarded the email to Controller Keith Maslowski, who then logged into a website belonging to the criminals. With Maslowski's login credentials, the criminals were off and running. Over the next six-and-a-half hours they raced to steal as much of Experi-Metal's money as they could before their window of opportunity closed.